• Stars
    star
    133
  • Rank 272,600 (Top 6 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created almost 9 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Awsaml is an application for providing automatically rotated temporary AWS credentials.

Awsaml

(https://coveralls.io/repos/github/rapid7/awsaml/badge.svg?branch=master)](https://coveralls.io/github/rapid7/awsaml?branch=master)

Awsaml is an application for providing automatically rotated temporary AWS credentials. Credentials are stored in ~/.aws/credentials so they can be used with AWS SDKs. Credentials are valid for one hour and are rotated every hour while the application's running.

In order to rotate credentials, Awsaml takes the following actions

  1. Authenticates the user with their identity provider.
  2. Reads the SAML authentication response returned from the identity provider.
  3. Generates new temporary AWS keys by calling the AssumeRoleWithSAML API.
  4. Writes the new temporary credentials to disk.

This flow repeats every hour so the user always has a valid set of AWS keys while the application's running. Awsaml reuses the SAML response from the identity provider, so the user doesn't need to reauthenticate every time.

You can grab prebuilt binaries for Mac, Linux, and Window from the releases page.

Configuration

Configuring Awsaml is a multi-step process that involves a bit of back and forth between Amazon and your identity provider. The general flow looks like this

  1. Create a SAML application in your identity provider.
  2. Create a SAML identity provider in AWS.
  3. Create an IAM role in AWS.
  4. Update the SAML application with ARNs.
  5. Run Awsaml and give it your application's metadata.

1. Create a SAML application in your identity provider

The only tested identity provider is Okta. To use Awsaml with Okta, you'll need to create a SAML 2.0 application in Okta with the following settings

SAML Settings

Name Value
Single Sign On URL http://localhost:2600/sso/saml
Recipient URL http://localhost:2600/sso/saml
Destination URL http://localhost:2600/sso/saml
Audience Restriction http://localhost:2600/sso/saml
Default Relay State
Name ID Format EmailAddress
Response Signed
Assertion Signature Signed
Signature Algorithm RSA_SHA256
Digest Algorithm SHA256
Assertion Encryption Unencrypted
SAML Single Logout Disabled
authnContextClassRef PasswordProtectedTransport
Honor Force Authentication Yes
SAML Issuer ID http://www.okta.com/${org.externalKey}

Once Okta's created your application, it will show you setup instructions.

Among those instructions will be a URL for a generated XML metadata document that will look something like this:

https://www.okta.com/app/{APP_ID}/sso/saml/metadata

Where APP_ID is the application ID Okta has assigned to your newly created app.

You should do two things with this url:

  1. Copy the url and store it somewhere locally because you will need to provide it to the Awsaml desktop application you run later.
  2. Download the contents of the url to a file on disk because you will need to supply that file when you create an identity provider in AWS.

A note on naming things (if you are using Okta)

In the next two steps, you will create and name an identity provider and a role. Be sure to choose short names (fewer than 28 characters between the two).

In the step after you create the identity provider and the role, you will need to take the ARNs for the identity provider and role and submit them to Okta. However, the field into which you will paste these values on the Okta website has a 100 character limit which is not immediately evident.

You will need to provide a string in the format:

{ROLE_ARN},{IDENTITY_PROVIDER_ARN}

The ROLE_ARN will be in this format:

arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}

Where the ACCOUNT_ID is 12 digits long, and the ROLE_NAME is as long as you want it to be.

The IDENTITY_PROVIDER_ARN will be in this format:

arn:aws:iam::{ACCOUNT_ID}:saml-provider/{PROVIDER_NAME}

Where the ACCOUNT_ID is 12 digits long, and the PROVIDER_NAME is as long as you want it to be.

Thus, when combined, the two ARNs will take up 72 characters without considering the number of characters that the names have.

arn:aws:iam::XXXXXXXXXXXX:role/,arn:aws:iam::XXXXXXXXXXXX:saml-provider/

As a consequence, between the name you give to the identity provider and the name you give to the role, you can only use up to 28 characters.

2. Create a SAML identity provider in AWS

Follow Amazon's documentation for creating a SAML identity provider, in which you will need to upload the metadata document you downloaded in the previous step.

Save the ARN for your identity provider so you can configure it in your application.

3. Create an IAM role in AWS

Follow Amazon's documentation for creating an IAM role with the following modifications:

  1. In step 2 "Select Role Type"
    1. After clicking "Role for Identity Provider Access", choose "Grant API access to SAML identity providers"
  2. In step 3 "Establish Trust"
    1. For 'SAML provider', choose the provider you previous set up
    2. For 'Attribute', choose SAML:iss
    3. For 'Value', supply the Issuer URL provided by Okta when you created the application

The permissions in this role will be the ones users are granted by their the AWS tokens Awsaml generates.

Once the role's created, a trust relationship should have been established between your role and the SAML identity provider you created. If not, you will need to set up a trust relationship between it and your SAML identity provider manually. Here's an example of the JSON policy document for that relationship.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "awsKeysSAML",
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam:saml-provider"
    },
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {
      "StringEquals": {
        "SAML:iss": "issuer"
      }
    }
  }]
}

Replace the "issuer" value for the "SAML:iss" key in the policy document with the issuer URL for your application. Replace the "arn:aws:iam:saml-provider" value for the "Federated" key in the policy document with the ARN for your SAML identity provider.

Save the ARN for the role so you can configure it in your application.

4. Update the SAML application with ARNs

Now that you have ARNs for the AWS identity provider and role, you can go back into Okta and add them to your application. Edit your application to include the following attributes.

Attribute Statements

Name Name Format Value
https://aws.amazon.com/SAML/Attributes/Role Unspecified arn:aws:iam:role,arn:aws:iam:provider
https://aws.amazon.com/SAML/Attributes/RoleSessionName Unspecified ${user.email}

Replace the "arn:aws:iam:role" value with the ARN of the role in AWS you created. Replace the "arn:aws:iam:provider" value with the ARN of the identity provider in AWS your created.

Multiple Role Support

To support multiple roles, add multiple values to the https://aws.amazon.com/SAML/Attributes/Role attribute. For example:

arn:aws:iam:role1,arn:aws:iam:provider
arn:aws:iam:role2,arn:aws:iam:provider
arn:aws:iam:role3,arn:aws:iam:provider

Special note for Okta users: Multiple roles must be passed as multiple values to a single attribute key. By default, Okta serializes multiple values into a single value using commas. To support multiple roles, you must contact Okta support and request that the SAML_SUPPORT_ARRAY_ATTRIBUTES feature flag be enabled on your Okta account. For more details see this post.

5. Run Awsaml and give it your application's metadata

You can find a prebuilt binary for Awsaml on the releases page. Grab the appropriate binary for your architecture and run the Awsaml application. It will prompt you for a SAML metadata URL. Enter the URL you saved in step 1. If the URL's valid, it will prompt you to log in to your identity provider. If the login's successful, you'll see temporary AWS credentials in the UI.

Building

Awsaml is built using Node and Yarn 3, so make sure you've got a compatible versions installed. Then run Yarn to install dependencies and build Awsaml.

rm -rf node_modules/
yarn install
yarn build

Those commands will create a "out" folder with zipped binaries. If you only want to create binaries for specific platforms, you can set a PLATFORM environment variable before building.

export PLATFORM=linux
yarn build

Allowed values for PLATFORM are darwin, linux and win32. You can build binaries for multiple platforms by using a comma separated list.

export PLATFORM=darwin,linux
yarn build

Similarly, if you want to specify the build architecture, you can set a ARCH environment variable before building.

export ARCH=universal
export PLATFORM=darwin
yarn build

Supported architectures are ia32, x64 , armv7l, arm64, mips64el, universal, or all.

Setup on macOS with Homebrew

A caskfile is bundled with the repository, to install Awsaml with Homebrew simply run:

wget https://raw.githubusercontent.com/rapid7/awsaml/master/brew/cask/awsaml.rb brew install --cask awsaml.rb

There might be an error and warning prompt but it should start succesfully downloading right after When download is succesfully installed, a awsaml was successfully installed! prompt is displayed

License

Awsaml is licensed under a MIT License. See the "LICENSE.md" file for more details.

Special Thanks

More Repositories

1

metasploit-framework

Metasploit Framework
Ruby
31,198
star
2

metasploitable3

Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.
HTML
4,644
star
3

metasploit-payloads

Unified repository for different Metasploit Framework payloads
C
1,543
star
4

hackazon

A modern vulnerable web app
HTML
944
star
5

ssh-badkeys

A collection of static SSH keys (public and private) that have made their way into software and hardware products.
790
star
6

IoTSeeker

Created by Jin Qian via the GitHub Connector
Perl
749
star
7

recog

Pattern recognition for hosts, services, and content
Ruby
591
star
8

metasploit-vulnerability-emulator

Created by Jin Qian via the GitHub Connector
Perl
428
star
9

mettle

This is an implementation of a native-code Meterpreter, designed for portability, embeddability, and low resource utilization.
C
398
star
10

meterpreter

THIS REPO IS OBSOLETE. USE https://github.com/rapid7/metasploit-payloads INSTEAD
C
318
star
11

sonar

Project Sonar
234
star
12

metasploit-omnibus

Packaging metasploit-framework with omnibus
Ruby
222
star
13

warvox

Ruby
197
star
14

dap

Data Analysis Pipeline
Ruby
151
star
15

nexpose-client

DEPRECATED: Rapid7 Nexpose API client library written in Ruby
Ruby
145
star
16

embedded-tools

AGS Script
143
star
17

myBFF

myBFF - a Brute Force Framework
Python
132
star
18

docker-logentries

Forward all your Docker logs to logentries, like a breeze
JavaScript
111
star
19

le_node

Node module for logentries.com
JavaScript
108
star
20

jsobfu

Obfuscate JavaScript (beyond repair) with Ruby
JavaScript
89
star
21

metasploit-javapayload

THIS REPO IS OBSOLETE. USE https://github.com/rapid7/metasploit-payloads INSTEAD
Java
87
star
22

ruby_smb

A native Ruby implementation of the SMB Protocol Family
Ruby
76
star
23

vm-console-client-python

the UNOFFICIAL (but useful) Python library for the Rapid7 InsightVM/Nexpose RESTful API
Python
76
star
24

vm-automation

Created to simplify interactions with virtual machines
Python
75
star
25

le_js

Client-side JavaScript logging library for Logentries
JavaScript
73
star
26

insightconnect-plugins

Plugin source code for the InsightConnect SOAR product, developer documentation at https://docs.rapid7.com/insightconnect/getting-started
Python
66
star
27

insightvm-sql-queries

InsightVM helpful SQL queries
56
star
28

conqueso

Centrally and dynamically change configuration values of your services!
JavaScript
55
star
29

smbj-rpc

Created by Paul Miseiko via the GitHub Connector
Java
53
star
30

go-get-proxied

Cross platform retrieval of system proxy configurations
Go
52
star
31

metasploit_data_models

MSF database code, gemified
Ruby
51
star
32

rex-powershell

Rex library for dealing with Powershell Scripts
Ruby
51
star
33

DLLHijackAuditKit

This toolkit detects applications vulnerable to DLL hijacking (released in 2010)
JavaScript
51
star
34

metasploit-aggregator

Created by Jeffrey Martin via the GitHub Connector
Ruby
49
star
35

rex

Rex provides a variety of classes useful for security testing and exploit development.
Ruby
48
star
36

le_ruby

Ruby logging support for logentries.com
Ruby
47
star
37

data

HTML
42
star
38

convection

A fully generic, modular DSL for AWS CloudFormation
Ruby
41
star
39

Rapid7-Labs

Rapid7 Labs operates as the division of Rapid7 focused on threat research. It is renowned for providing comprehensive threat intelligence, research and analytics.
YARA
35
star
40

github-connector

The GitHub Active Directory Connector allows managing GitHub organizations with Active Directory.
Ruby
34
star
41

krip

Dead simple encryption, using WebCrypto under the hood
JavaScript
33
star
42

le_dotnet

.NET support for Logentries
C#
30
star
43

le_java

Direct logging support for Java language
Java
30
star
44

metasploit-credential

Code for modeling and managing credentials in Metasploit, implemented as a Rails Engine
Ruby
29
star
45

nexpose-resources

Scripts, SQL queries, and other resources for Nexpose
Ruby
27
star
46

re2-java

re2 for Java
Java
27
star
47

vaccination

C
26
star
48

metasploit-baseline-builder

Created by Jeffrey Martin via the GitHub Connector
Python
26
star
49

pdf-renderer

Golang based app that will render an html page and create a pdf.
Go
26
star
50

nexpose-client-python

DEPRECATED : Rapid7 Nexpose API client library written in Python
Python
25
star
51

metabot

Use security tools from within IRC.
Ruby
24
star
52

lecli

Seamlessly view recent events, run queries and manage your account from the command line
Python
23
star
53

msfrpc-client

Rapid7 Metasploit API client library written in Ruby
Ruby
23
star
54

rex-exploitation

Rex library for various exploitation helpers
Ruby
22
star
55

propsd

Dynamic property management at scale
JavaScript
22
star
56

builderator

Tools to make CI Packer builds awesome
Ruby
22
star
57

sonar-client

Ruby
21
star
58

savery

JavaScript
21
star
59

tabtalk

Secure, encrypted cross-tab communication in the browser
JavaScript
21
star
60

le_chef

Ruby
20
star
61

Websploit-Tests

A place for scripts that describe web exploits to live so they can be used in testing
PHP
20
star
62

rex-text

Rex library for text generation and manipulation
Ruby
19
star
63

godap

The Data Analysis Pipeline
Go
18
star
64

memorandom

Ruby
18
star
65

dogwatch

A Ruby DSL to create DataDog monitors.
Ruby
17
star
66

FullAutoOSINT

Python
17
star
67

metakitty

Metakitty, The Metasploit Resource Portal
Ruby
16
star
68

akheron-proxy

UART proxy tool for inter-chip analysis.
Python
16
star
69

guardian

A lightweight authentication proxy for HTTP services
JavaScript
16
star
70

le_community_packs

Logentries Community Packs
VCL
16
star
71

le_lambda

Python
16
star
72

fastlib

FastLib provides a "jar-like" format for Ruby libraries, with specific features for the Metasploit Framework
Ruby
15
star
73

react-prefixer

JavaScript
15
star
74

nexpose_java_api

DEPRECATED : A library used to connect to the Nexpose API
Java
15
star
75

geppetto

Geppetto - Virtual machine and infrastructure orchestration
Python
14
star
76

raptor-io

The eventual successor to the networking/IO functionalities of Metasploit's REX library
Ruby
13
star
77

presales-engineering

Shell
13
star
78

marionette.carpenter

A thing that makes tables
JavaScript
13
star
79

tokend

A Node.js daemon that interfaces with Vault and Warden to provide a secure method to deliver secrets to servers in the cloud.
JavaScript
13
star
80

metasploit-vagrant-builders

Build tools to generate vagrant images used by metasploit-framework CI
Ruby
13
star
81

rex-socket

The Rex Socket Abstraction Library
Ruby
12
star
82

psych_shield

PsychShield provides a filtering mechanism for YAML.load when using the Psych parser
Ruby
12
star
83

docker-image-analyzer

docker image analyzer
Java
12
star
84

insightvm-api-examples

Created by Ivan Quintanilla via the GitHub Connector
Python
12
star
85

appspider-pentestkit

Created by Denis Podgurskiy via the GitHub Connector
JavaScript
12
star
86

rex-bin_tools

Created by David Maloney via the GitHub Connector
Ruby
11
star
87

attackerkb

Repo for creating-and-tracking issues related to AttackerKB
11
star
88

vm-console-client-ruby

The UNOFFICIAL (but useful) Ruby gem for the Rapid7 InsightVM/Nexpose RESTful API
Ruby
10
star
89

javascript-style-guide

10
star
90

resynth

A network packet synthesis language
Rust
10
star
91

network_interface

C
10
star
92

insightappsec-azure-devops-extension

Rapid7 InsightAppSec Extension for Azure DevOps
TypeScript
10
star
93

insightcloudsec-actions

10
star
94

metasploit-model

Common code, such as validators and mixins, that are shared between ActiveModels in metasploit-framework and ActiveRecords in metasploit_data_models
Ruby
10
star
95

jenkinsci-appspider-plugin

Jenkins plugin that calls the AppSpider API
Java
9
star
96

r7insight_js

Client-side JavaScript logging library for InsightOps
JavaScript
9
star
97

recog-java

Recog java
Java
9
star
98

insightappsec-api-examples

Project intended to provide guides for InsightAppSec API examples and use cases
Python
9
star
99

insightappsec-scan-github-actions

JavaScript
9
star
100

armor

This repository is no longer supported
Java
8
star